OmniFaces RCE: Server-Side EL Injection Poses High Risk
The National Vulnerability Database has disclosed CVE-2026-41883, a critical server-side EL injection vulnerability in OmniFaces, a widely used utility library for Faces applications. This flaw, rated with a CVSS score of 8.1 (HIGH), allows for Remote Code Execution (RCE) and affects versions prior to 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.
Attackers can exploit this by crafting a malicious resource request URL containing an EL expression. This expression is then evaluated server-side, granting arbitrary code execution. The vulnerability specifically targets applications utilizing CDNResourceHandler with a wildcard CDN mapping, such as libraryName:*=https://cdn.example.com/*.
This is a direct path to full system compromise. The attacker’s calculus here is simple: if they can get an EL expression to execute, they own the server. The high CVSS score reflects the network-exploitable nature and complete compromise potential, with no user interaction or prior privileges required for initial access. This isn’t theoretical; it’s a critical attack vector.
What This Means For You
- If your organization uses OmniFaces with `CDNResourceHandler` and a wildcard CDN mapping, you are directly exposed to RCE. Immediately identify all instances of OmniFaces in your environment and ensure they are patched to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, or 5.2.3 or newer. This isn't a 'monitor for exploitation' situation; this is a 'patch now' mandate.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41883: OmniFaces RCE via Server-Side EL Injection
title: CVE-2026-41883: OmniFaces RCE via Server-Side EL Injection
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-41883 by identifying requests targeting the '/javax.faces.resource/' path and containing EL expressions ('${' and '}') within the query string. This pattern is specific to the server-side EL injection vulnerability in OmniFaces when using CDNResourceHandler with wildcard CDN mappings.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41883/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/javax.faces.resource/'
cs-uri-query|contains:
- '${'
cs-uri-query|contains:
- '}'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41883 | RCE | OmniFaces versions < 1.14.2 |
| CVE-2026-41883 | RCE | OmniFaces versions < 2.7.32 |
| CVE-2026-41883 | RCE | OmniFaces versions < 3.14.16 |
| CVE-2026-41883 | RCE | OmniFaces versions < 4.7.5 |
| CVE-2026-41883 | RCE | OmniFaces versions < 5.2.3 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console...
CVE-2026-6666 — A possible null pointer reference in PgBouncer before
CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE...
PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow
CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM...